Since 2004, a source for ranting, reviews and InfoSec news

Menu

User Education

Over at the impactalabs blog, Kevin Lam comments about a company that sent an all employee email waring users about a IKEA phishing/malware email.
This hit something that I’ve been forced to re-examine this week. Is it effective to send all employee emails warning about the latest virus attack on the internet.
I believe that if you find yourself sending all employee emails about security to users regularly then you should examine the technology you’ve chosen. Why is it leaking like a sieve. To send an emergency email about a security threat, the email should be timely and actionable. In our case, if we dont know of a single email getting through to the users is it really necessary to warn them? The only answer I see is that they may infect us through using the ISPs webmail or checking personal email when outside our firewall.
Is it really necessary to raise security awareness through dire warnings about things that dont effect the user anyway? It seems more appropriate for a Security Awareness newsletter or website. That is assuming users are trainable, which is a whole ‘nother story.

One Comment

I’ve found that it can be very effective if I keep up the user training via email . Simple reminders and generic cases in short, easy-to-read and understand language help keep infosec in the minds of the users.
On the other hand, firing off warning messages about specific viruses is kinda pointless and never seems to work.
Regarding newsletters and the security awareness website, it seems the only people who actually read that are the IT staff. Even then, it’s a relatively small readership. Too much doom and gloom seems to have turned off the readership.